The Securities and Exchange Commission reached an agreement with Equiniti Trust for $850,000 to settle charges the company failed to secure millions of dollars in client funds related to two separate cyber intrusions.
Equiniti, formerly known as American Stock Transfer & Trust, was hacked in 2022 and 2023, resulting in the loss of $6.6 million in client funds. The company recovered about $2.6 million and fully reimbursed clients, the SEC said in an announcement last week.
“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near constant threat to companies and markets,” Monique Winkler, director of the SEC’s San Francisco regional office, said in a prepared statement.
The order found the company was in violation of the Securities Exchange Act of 1934. Beyond the civil penalty, Equiniti also agreed to a cease-and-desist order and censure, according to the SEC.
“The SEC was satisfied with the swift and decisive actions taken by Equiniti, which included making all clients and shareholders whole, and this settlement concludes its investigation,” a spokesperson for Equiniti said via email.
The combined entity was created following the merger of American Stock Transfer and Equiniti Trust, which was completed in June 2023, according to the SEC.
The company said it has made and will continue to make significant investments to make sure client funds are protected from fraud.
Behind the incidents
The first incident, in September 2022, involved an unknown hacker hijacking an existing email chain between the company, then operating as American Stock Transfer, and a U.S.-based public issuer client.
The hacker, pretending to be an employee of the issuer, instructed American Stock Transfer to issue millions of new shares, liquidate the shares and send the proceeds to a bank in Hong Kong. The company sent $4.78 million to the Hong Kong bank but was later able to recover about $1 million.
In the April 2023 incident, an unknown hacker used stolen Social Security numbers belonging to legitimate American Stock Transfer account holders to create fake accounts linked to the real accounts. The hacker stole about $1.9 million; however, the company was later able to recover about $1.6 million.
Attorney Sagar Ravi, a partner at McDermott Will & Emery and former federal prosecutor, said the company had warned employees about the rising use of business email compromise, but that internal guidance was not enough for the SEC.
“The SEC blamed the company for not confirming that its email guidance was read by employees, for not providing training to employees, and for not ensuring that call-backs were performed,” Ravi told Cybersecurity Dive via email.
The agreement is one of the first major cyber cases settled at the SEC since the July court ruling dismissing most of the civil fraud charges against SolarWinds in connection with the 2020 Sunburst malware attacks.
That case is proceeding in federal court on a more limited set of charges.